CLAIM LISTING 



1. (Original) A method comprising: 

provisioning a symmetric cryptographic key across multiple clients through multiple 
embedded agents, each client having one of the embedded agents, one embedded agent in each 
client having an embedded agent to store the symmetric cryptographic key in a storage accessible 
to the embedded agent and not directly accessible to a host processor on the client; and 

providing access to an encrypted traffic flow in a network to a client if the client is 
authenticated with the key. 

2. (Original) A method according to claim 1, wherein provisioning the key through the 
embedded agents further comprises provisioning the key through an embedded agent having 
network access via a network link not visible to a host operating system (OS) running on the 
client. 

3. (Original) A method according to claim 2, wherein providing access to the traffic flow if 
the client is authenticated comprises the embedded agent authenticating the client over the 
network line not visible to the host OS. 

4. (Original) A method according to claim 1, wherein providing access to the traffic flow 
further comprises providing multiple clients access with the key to nodes in the network, the 
nodes in the network to decrypt the traffic flow and subsequently encrypt the traffic flow to 
transmit the traffic to a next node in the network. 

5. (Original) A method according to claim 1, further comprising updating at a client the 
symmetric cryptographic key provisioned across the multiple clients through a public and private 
key exchange with a public and private key associated the client. 

6. (Original) A method according to claim 1, wherein providing access if the client is 
authenticated further comprises: 
the embedded agent verifying that a platform associated with the client is not 
compromised; and 

the embedded agent providing the key and an assertion that the client is not compromised 
to a verification entity on the network. 

7. (Original) A method according to claim 6, further comprising the embedded agent 
indicating to a remote network device if the client is compromised. 

8. (Original) A method according to claim 6, further comprising the embedded agent 
foreclosing network access to the client if the client is compromised. 

9. (Original) A method according to claim 1, further comprising the embedded agent 
performing cryptographic functions on data with the key to authenticate data with the key. 

10. (Original) A method according to claim 1, further comprising the embedded agent 
including a derivative of the key in a header of data to be transmitted to authenticate the data 
with the key. 
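The following Python model is an added illustration and is not part of the claim listing or of the applicant's own implementation; the class names, the header field name and the use of HMAC-SHA256 as the "derivative of the key" are assumptions. It exercises the arrangement of claims 1, 6 through 8 and 10: one symmetric key is provisioned to per-client embedded agents that never hand it back to host code, an agent that finds its platform compromised forecloses network access, and a healthy agent authenticates outbound data by placing a key derivative in a header that a network-side verification entity checks.

```python
import hashlib
import hmac
from typing import Callable, Dict, Optional, Tuple

# Header field carrying the key derivative (claim 10); name is an assumption.
TAG_HEADER = "x-agent-tag"


class EmbeddedAgent:
    """Stand-in for the per-client embedded agent (hypothetical class name).

    The symmetric key is set once by provision() and is never returned to the
    caller, which models storage readable by the agent but not directly by the
    host processor (claim 1).  Python cannot enforce hardware isolation, so the
    name-mangled attribute is a modelling convention, not a security boundary.
    """

    def __init__(self, client_id: str, platform_check: Callable[[], bool]) -> None:
        self.client_id = client_id
        self._platform_check = platform_check  # claim 6: platform integrity check
        self.__key: Optional[bytes] = None

    def provision(self, key: bytes) -> None:
        """Claim 1: the key is delivered to the agent, not to the host."""
        self.__key = key

    def _tag(self, payload: bytes) -> str:
        # The value placed in the header is an HMAC over the client id and the
        # payload; the key itself never leaves the agent.
        msg = self.client_id.encode() + b"\x00" + payload
        return hmac.new(self.__key, msg, hashlib.sha256).hexdigest()

    def send(self, payload: bytes) -> Optional[Tuple[Dict[str, str], bytes]]:
        """Claims 6-8 and 10: return (header, payload), or None when the platform
        is compromised and the agent forecloses network access."""
        if self.__key is None:
            raise RuntimeError("agent has not been provisioned")
        if not self._platform_check():
            return None
        header = {
            "client": self.client_id,
            "assertion": "not-compromised",  # claim 6: assertion to the verifier
            TAG_HEADER: self._tag(payload),
        }
        return header, payload


class VerificationEntity:
    """Network-side verifier holding the shared key (hypothetical class name)."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def verify(self, header: Dict[str, str], payload: bytes) -> bool:
        msg = header["client"].encode() + b"\x00" + payload
        expected = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        # Constant-time comparison so a wrong tag leaks nothing through timing.
        return hmac.compare_digest(expected, header.get(TAG_HEADER, ""))


def run_scenario(shared_key: bytes) -> Dict[str, bool]:
    """Provision one key across two clients and exercise the claimed paths.

    The payloads and the forged header below are constructed sample inputs."""
    healthy = EmbeddedAgent("client-a", platform_check=lambda: True)
    infected = EmbeddedAgent("client-b", platform_check=lambda: False)
    for agent in (healthy, infected):
        agent.provision(shared_key)
    verifier = VerificationEntity(shared_key)

    results: Dict[str, bool] = {}
    header, payload = healthy.send(b"hello")
    results["healthy_accepted"] = verifier.verify(header, payload)
    # Host-side tampering with the payload invalidates the tag.
    results["tampered_rejected"] = not verifier.verify(header, b"hellp")
    # A header forged without the key carries no valid tag.
    forged = {"client": "client-a", "assertion": "not-compromised", TAG_HEADER: "00" * 32}
    results["forged_rejected"] = not verifier.verify(forged, b"hello")
    # The compromised platform gets no authenticated traffic at all (claim 8).
    results["compromised_foreclosed"] = infected.send(b"hello") is None
    return results


if __name__ == "__main__":
    import secrets

    print(run_scenario(secrets.token_bytes(32)))
```

The verifier holds the same key because the claims describe a symmetric key shared across clients and the verification entity; in a real deployment that key would sit in the embedded agent's isolated storage and in the network device, with the host operating system seeing only the header and payload.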

11. (Currently Amended) An apparatus comprising: 

a host platform on the apparatus including a host processor; 

a secure memory not visible to applications and an operating system (OS) running on the 
host platform; and 

an embedded computational device communicatively coupled with the host platform, the 
embedded device to have a network link transparent to the host processor and the OS, the 
embedded device to manage a cryptographic key shared among the apparatus and network 
endpoints to be used to communicate with a server over the network, to receive the cryptographic 
key on the transparent link and authenticate the apparatus, and to store the cryptographic key in 
the secure memory. 
12. (Original) An apparatus according to claim 11, wherein the embedded device to have 
transparent network link comprises the embedded device to have a network connection not 
accessible by the host platform, the link to comply with the transport layer security (TLS) 
protocol. 

13. (Original) An apparatus according to claim 11, wherein the embedded device to have a 
transparent network link comprises the embedded device to have a network connection not 
accessible by the host platform, the link to comply with the secure sockets layer (SSL) protocol. 

14. (Original) An apparatus according to claim 11, wherein the embedded device to 
authenticate the apparatus comprises the embedded device to verify the identity of the apparatus 
to a network switching device with the key, the key to also be used by the network endpoints to 
verify their respective identities to the network switching device, and the network switching 
device to decrypt encrypted traffic from the apparatus and the network endpoints. 

15. (Original) An apparatus according to claim 11, wherein the embedded device to 
authenticate the apparatus comprises the embedded device to hash traffic to be transmitted with 
the key. 

16. (Original) An apparatus according to claim 11, wherein the embedded device to 
authenticate the apparatus comprises the embedded device to perform cryptographic services 
with the key on traffic to be transmitted. 

17. (Original) An apparatus according to claim 11, wherein the embedded device to 
authenticate the apparatus comprises the embedded device to include a derivative of the key in a 
header of traffic to be transmitted. 

18. (Original) An apparatus according to claim 11, further comprising a second embedded 
computational device, the second embedded device integrated on the host platform, to verify the 
security of the host platform. 



Application No.: 10/809,315 
Attorney Docket No.: 42P19299 

Examiner: K.L. Schmidt 
Art Unit: 2139 



19. (Currently Amended) An apparatus according to claim 18, wherein the first embedded 
device to not authenticate the apparatus if the second embedded device determines the host 
platform is not secure. 

20. (Original) An apparatus according to claim 18, further comprising a bi-directional private 
bus between the first and second embedded devices. 

21. (Original) An apparatus according to claim 11, further comprising a counter mode 
hardware cryptographical module on the host platform to encipher traffic with the cryptographic 
key and further provide a counter mode enciphering of the enciphered traffic. 

22. (Currently Amended) A system comprising: 

a host platform including a host processor; 

a digital signal processor (DSP) coupled with the host platform; and 

an embedded chipset including a secure key storage module to perform cryptographic key 
management of a shared cryptographic key with the secure key storage module and a private 
communication channel accessible to the chipset and not the host platform, and to access an 
image of the host platform on a flash accessible to the DSP and not to the host processor 
to determine the integrity of the host platform, the shared cryptographic key to be used by the 
host platform to encipher data and other networked devices within a virtual private network. 

23. (Original) A system according to claim 22, wherein the embedded chipset to perform 
cryptographic key distribution with the private communication channel comprises the embedded 
chipset to perform cryptographic key distribution with a communication channel complying with 
the transport layer security (TLS) protocol. 

24. (Original) A system according to claim 22, wherein the embedded chipset comprises an 
embedded controller agent and an embedded firmware agent, the firmware agent to determine 
the integrity of the host platform, and the controller agent to operate the private communication 
channel and manage access by the host platform to secure network connections. 
25. (Currently Amended) A system according to claim 24, further comprising a bi-directional 
private communication path between the embedded controller agent and the embedded 
firmware agent to allow the agents to interoperate outside a context of the host platform. 

26. (Original) A system according to claim 22, further comprising the embedded chipset to 
hash traffic to be transmitted with the key to authenticate the system to one of the other 
networked devices. 

27. (Original) A system according to claim 22, further comprising the embedded chipset to 
perform cryptographic services with the key on traffic to be transmitted to authenticate the 
system to one of the other networked devices. 

28. (Original) A system according to claim 22, further comprising the embedded chipset to 
include a derivative of the key in a header of traffic to be transmitted to authenticate the system 
to one of the other networked devices. 

29. (Currently Amended) An article of manufacture comprising a tangible machine 
accessible medium having content stored thereon to provide instructions to cause a machine to 
perform operations including: 

provisioning a symmetric cryptographic key across multiple clients through multiple 
embedded agents, each client having one of the embedded agents, one embedded agent in each 
client having an embedded agent to store the symmetric cryptographic key in a storage accessible 
to the embedded agent and not directly accessible to a host processor on the client; and 

providing access to an encrypted traffic flow in a network to a client if the client is 
authenticated with the key. 

30. (Original) An article of manufacture according to claim 29, wherein the content to 
provide instruction to cause the machine to perform operations including provisioning the key 
through the embedded agents further comprises the content to provide instruction to cause the 
machine to perform operations including provisioning the key through an embedded agent 
having network access via a network link not visible to a host operating system (OS) running on 
the client. 

31. (Currently Amended) An article of manufacture according to claim 30, 
wherein the content to provide instruction to cause the machine to perform operations including 
providing access to the traffic flow if the client is authenticated comprises the content to provide 
instruction to cause the machine to perform operations including authenticating the client with 
the embedded agent over the network line not visible to the host OS. 

32. (Original) An article of manufacture according to claim 29, wherein the content to 
provide instruction to cause the machine to perform operations including providing access to the 
traffic flow further comprises the content to provide instruction to cause the machine to perform 
operations including providing multiple clients access with the key to nodes in the network, the 
nodes in the network to decrypt the traffic flow and subsequently encrypt the traffic flow to 
transmit the traffic to a next node in the network. 

33. (Original) An article of manufacture according to claim 29, further comprising the 
content to provide instruction to cause the machine to perform operations including updating at a 
client the symmetric cryptographic key provisioned across the multiple clients through a public 
and private key exchange with a public and private key associated the client. 

34. (Original) An article of manufacture according to claim 29, wherein the content to 
provide instruction to cause the machine to perform operations including providing access if the 
client is authenticated further comprises the content to provide instruction to cause the machine 
to perform operations including: 

verifying with the embedded agent that a platform associated with the client is not 
compromised; and 

providing with the embedded agent the key and an assertion that the client is not 
compromised to a verification entity on the network. 
35. (Original) An article of manufacture according to claim 34, further comprising the 
content to provide instruction to cause the machine to perform operations including indicating 
with the embedded agent to a remote network device if the client is compromised. 

36. (Original) An article of manufacture according to claim 34, further comprising the 
content to provide instruction to cause the machine to perform operations including foreclosing 
with the embedded agent network access to the client if the client is compromised. 

37. (Original) An article of manufacture according to claim 29, further comprising the 
content to provide instruction to cause the machine to perform operations including performing 
cryptographic functions on data with the key to authenticate data with the key. 

38. (Original) An article of manufacture according to claim 29, further comprising the 
content to provide instruction to cause the machine to perform operations including placing a 
derivative of the key in a header of data to be transmitted to authenticate the data with the key. 